Add support to additionally tag an existing OCI manifest

Signed-off-by: Tobias Wolf <[email protected]>

Author: NotTheEvilOne

.github/actions/features_parse/action.yml

@@ -11,7 +11,7 @@ outputs:
 runs:
   using: composite
   steps:
-    - uses: gardenlinux/python-gardenlinux-lib/.github/actions/[email protected].0
+    - uses: gardenlinux/python-gardenlinux-lib/.github/actions/[email protected].1
     - id: result
       shell: bash
       run: |

.github/actions/flavors_parse/action.yml

@@ -13,7 +13,7 @@ outputs:
 runs:
   using: composite
   steps:
-    - uses: gardenlinux/python-gardenlinux-lib/.github/actions/[email protected].0
+    - uses: gardenlinux/python-gardenlinux-lib/.github/actions/[email protected].1
     - id: matrix
       shell: bash
       run: |

.github/actions/setup/action.yml

@@ -4,7 +4,7 @@ description: Installs the given GardenLinux Python library
 inputs:
   version:
     description: GardenLinux Python library version
-    default: "0.9.0"
+    default: "0.9.1"
   python_version:
     description: Python version to setup
     default: "3.13"

pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "gardenlinux"
-version = "0.9.0"
+version = "0.9.1"
 description = "Contains tools to work with the features directory of gardenlinux, for example deducting dependencies from feature sets or validating cnames"
 authors = ["Garden Linux Maintainers <[email protected]>"]
 license = "Apache-2.0"

src/gardenlinux/oci/__main__.py

@@ -31,26 +31,28 @@ def cli():
     help="Container Name",
 )
 @click.option(
-    "--version",
-    required=True,
-    type=click.Path(),
-    help="Version of image",
+    "--cname", required=True, type=click.Path(), help="Canonical Name of Image"
 )
 @click.option(
-    "--commit",
+    "--arch",
     required=False,
     type=click.Path(),
     default=None,
-    help="Commit of image",
+    help="Target Image CPU Architecture",
 )
 @click.option(
-    "--arch",
-    required=True,
+    "--version",
+    required=False,
     type=click.Path(),
-    help="Target Image CPU Architecture",
+    default=None,
+    help="Version of image",
 )
 @click.option(
-    "--cname", required=True, type=click.Path(), help="Canonical Name of Image"
+    "--commit",
+    required=False,
+    type=click.Path(),
+    default=None,
+    help="Commit of image",
 )
 @click.option("--dir", "directory", required=True, help="path to the build artifacts")
 @click.option(
@@ -76,10 +78,10 @@ def cli():
 )
 def push_manifest(
     container,
+    cname,
+    arch,
     version,
     commit,
-    arch,
-    cname,
     directory,
     cosign_file,
     manifest_file,
@@ -107,6 +109,76 @@ def push_manifest(
         print(manifest.digest, file=open(cosign_file, "w"))
 
 
+@cli.command()
+@click.option(
+    "--container",
+    required=True,
+    type=click.Path(),
+    help="Container Name",
+)
+@click.option(
+    "--cname",
+    required=False,
+    type=click.Path(),
+    default=None,
+    help="Canonical Name of Image"
+)
+@click.option(
+    "--arch",
+    required=False,
+    type=click.Path(),
+    default=None,
+    help="Target Image CPU Architecture",
+)
+@click.option(
+    "--version",
+    required=False,
+    type=click.Path(),
+    default=None,
+    help="Version of image",
+)
+@click.option(
+    "--commit",
+    required=False,
+    type=click.Path(),
+    default=None,
+    help="Commit of image",
+)
+@click.option(
+    "--insecure",
+    default=False,
+    help="Use HTTP to communicate with the registry",
+)
+@click.option(
+    "--tag",
+    required=True,
+    multiple=True,
+    help="Tag to push the manifest with",
+)
+def push_manifest_tags(
+    container,
+    cname,
+    arch,
+    version,
+    commit,
+    insecure,
+    tag,
+):
+    """
+    Push artifacts and the manifest from a directory to a registry.
+
+    :since: 0.7.0
+    """
+
+    container = Container(
+        f"{container}:{version}",
+        insecure=insecure,
+    )
+
+    manifest = container.read_or_generate_manifest(cname, arch, version, commit)
+    container.push_manifest_for_tags(manifest, tag)
+
+
 @cli.command()
 @click.option(
     "--container",

src/gardenlinux/oci/container.py

@@ -83,11 +83,21 @@ def __init__(
             self._container_version = container_data[1]
 
         container_url_data = urlsplit(self._container_url)
+        self._token = None
+
+        if token is None:
+            token = getenv("GL_CLI_REGISTRY_TOKEN")
+
+        if token is not None:
+            auth_backend = "token"
+            self._token = b64encode(token.encode("utf-8")).decode("utf-8")
+        else:
+            auth_backend = "basic"
 
         Registry.__init__(
             self,
             hostname=container_url_data.netloc,
-            auth_backend="token",
+            auth_backend=auth_backend,
             insecure=insecure,
         )
 
@@ -97,11 +107,7 @@ def __init__(
         self._container_name = container_url_data.path[1:]
         self._logger = logger
 
-        if token is None:
-            token = getenv("GL_CLI_REGISTRY_TOKEN")
-
-        if token is not None:
-            self._token = b64encode(token.encode("utf-8")).decode("utf-8")
+        if self._token is not None:
             self.auth.set_token_auth(self._token)
         else:
             # Authentication credentials from environment
@@ -520,14 +526,14 @@ def read_or_generate_index(self):
 
     def read_or_generate_manifest(
         self,
-        cname: str,
+        cname: Optional[str] = None,
         architecture: Optional[str] = None,
         version: Optional[str] = None,
         commit: Optional[str] = None,
         feature_set: Optional[str] = None,
     ) -> Manifest:
         """
-        Reads from registry or generates the OCI image manifest.
+        Reads from registry or generates the OCI manifest.
 
         :param cname: Canonical name of the manifest
         :param architecture: Target architecture of the manifest
@@ -539,19 +545,26 @@ def read_or_generate_manifest(
         :since:  0.7.0
         """
 
-        if architecture is None:
-            architecture = CName(cname, architecture, version).arch
+        if cname is None:
+            response = self._get_manifest_without_response_parsing(self._container_version)
+        else:
+            if architecture is None:
+                architecture = CName(cname, architecture, version).arch
 
-        response = self._get_manifest_without_response_parsing(
-            f"{self._container_version}-{cname}-{architecture}"
-        )
+            response = self._get_manifest_without_response_parsing(
+                f"{self._container_version}-{cname}-{architecture}"
+            )
+        #
 
         if response.ok:
             manifest = Manifest(**response.json())
         elif response.status_code == 404:
-            manifest = self.generate_manifest(
-                cname, architecture, version, commit, feature_set
-            )
+            if cname is None:
+                manifest = Manifest()
+            else:
+                manifest = self.generate_manifest(
+                    cname, architecture, version, commit, feature_set
+                )
         else:
             response.raise_for_status()
 

tests/conftest.py

@@ -1,16 +1,16 @@
+from datetime import datetime, timedelta
+from tempfile import mkstemp
 import json
 import os
 import shutil
 import subprocess
 import sys
-import tempfile
 import pytest
 
 from cryptography import x509
 from cryptography.x509.oid import NameOID
 from cryptography.hazmat.primitives import hashes, serialization
 from cryptography.hazmat.primitives.asymmetric import rsa
-from datetime import datetime, timedelta
 from dotenv import load_dotenv
 from gardenlinux.features import Parser
 
@@ -26,6 +26,7 @@
     TEST_FEATURE_STRINGS_SHORT,
     TEST_ARCHITECTURES,
 )
+
 from .helper import call_command, spawn_background_process
 
 
@@ -80,11 +81,6 @@ def generate_test_certificates():
     print(f"Generated test certificates in {CERT_DIR}")
 
 
-def write_zot_config(config_dict, file_path):
-    with open(file_path, "w") as config_file:
-        json.dump(config_dict, config_file, indent=4)
-
-
 def create_test_data():
     """Generate test data for OCI registry tests (replaces build-test-data.sh)"""
     print("Creating fake artifacts...")
@@ -127,20 +123,38 @@ def create_test_data():
                         f.write(f"dummy content for {file_path}")
 
 
+def write_zot_config(config_dict, fd):
+    with os.fdopen(fd, "w") as fp:
+        json.dump(config_dict, fp, indent=4)
+
+
 @pytest.fixture(autouse=False, scope="function")
 def zot_session():
     load_dotenv()
     print("start zot session")
+
+    fd, htpasswd_file = mkstemp(dir=TEST_DATA_DIR, suffix=".htpasswd")
+    os.close(fd)
+
     zot_config = {
         "distSpecVersion": "1.1.0",
         "storage": {"rootDirectory": "output/registry/zot"},
-        "http": {"address": "127.0.0.1", "port": "18081"},
+        "http": {
+            "address": "127.0.0.1",
+            "port": "18081",
+            "auth": {"htpasswd": {"path": f"{htpasswd_file}"}},
+            "accessControl": {
+                "repositories": {
+                    "**": {"anonymousPolicy": ["read", "create", "update", "delete"]},
+                    "protected/**": {"anonymousPolicy": []},
+                }
+            },
+        },
         "log": {"level": "warn"},
     }
 
-    with tempfile.NamedTemporaryFile(delete=False, suffix=".json") as temp_config_file:
-        write_zot_config(zot_config, temp_config_file.name)
-        zot_config_file_path = temp_config_file.name
+    fd, zot_config_file_path = mkstemp(text=True, dir=TEST_DATA_DIR, suffix=".json")
+    write_zot_config(zot_config, fd)
 
     print(f"Spawning zot registry with config {zot_config_file_path}")
     zot_process = spawn_background_process(
@@ -156,6 +170,8 @@ def zot_session():
 
     if os.path.isdir("./output"):
         shutil.rmtree("./output")
+    if os.path.isfile(htpasswd_file):
+        os.remove(htpasswd_file)
     if os.path.isfile(zot_config_file_path):
         os.remove(zot_config_file_path)